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The problem of detecting linear attacks on industrial systems is presented in 
this paper. The object is attacked by linear attack is the wireless 
communication process from sensors to controller with simulated 
mathematical model (stochastic dynamical systems and random noises). The 
attack matrices are calculated to ensure that Kullback-Leiber (K-L) 


algorithm is passed. With these matrices, the window limited cumulative 

SUM (WL-CUSUM) algorithm and finite moving average (FMA) algorithm 
Keywords: are utilized to detect the changes in the sequence of residuals generated from 
Kalman filter method and are appreciated the ability to detect the linear 
attack. The simulated results show that an appropriate range of threshold of 
the WL-CUSUM and FMA algorithm can be chosen to detect the linear 
attack in case the K-L method cannot detect. Moreover, tested results using 
the Monte Carlo simulation also show that the evaluation performance of the 
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WL-CUSUM FMA detection algorithm is better than that of WL-CUSUM, CUSUM, and 
Chi-squared (Chi2). 
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1. INTRODUCTION 

Distributed control systems (DCS) are widely used in a lot of fields of industry, such as electric power 
grids, chemical factories, paper or food factories. It is very important to retain the good operation of data 
processing, data collection and secureing the data integrity in such systems. The operation of DCS depends on 
communication networks because of their geographically dispersed characteristics. So it can attack DCS at a lot 
of points [1]-[13]. From 2017, in [5]-[7], [10] initiated a type which changed the data transmitted from sensors 
to controllers in a DCS. The attack is a typical cyber/physical attack and proven to be very dangerous. Some 
attack detection algorithms, such as Chi-squared (Chi2) algorithm in several cases or Kullback-Leiber (K-L) 
algorithm in any case [5], [6] and traditional abrupt change detection algorithms can be passed. It can attack any 
system during a short period due to the resources limit, leading to the change in the parameter of short duration. 
Therefore, it is necessary to check algorithms to detect dangerous attack on short signals (transient change) 
before they disappear. 

This paper focus on the detection of linear attack in DCS. Detecting linear attack is a kind of the fault 
detection and isolation (FDI) problem. FDI detects whether faults have appeared and identify the types of the 
faults from systems states under the affection of random noises. It consists of two steps, that is generating and 
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evaluating residual. The residuals are first generated by using Kalman filter. These residuals, then, are evaluated 
by detection algorithms, such as finite moving average (FMA), window limited cumulative SUM (WL- 
CUSUM), CUSUM, Chi2, and fixed-size sample (FSS). These algorithms are applied in case the expectation 
and the variance of the system are known when occur abnormal changes. Besides, we can use weighted 
likelihood ratio (WLR), generalized likelihood ratio (GLR) in case the expectation and the variance of the 
system are unknown when there are abnormal changes. In our paper, the attacked object by linear attack is a 
wireless communication process from sensors to controller as shown in Figure 1. 


Wireles | 
Network | 


Figure 1. Diagram describing the linear attack’s position 


Inherited our published research results [14], [15], in this paper we compare WL-CUSUM, FMA, 
CUSUM, and Chi2 algorithms on the linear attack detection ability, to confirm the effectiveness of these 
algorithms. The Chi2 algorithm only utilizes the data before an unusual alteration, while the data both after 
and before an unusual alteration is utilized by the CUSUM, WL-CUSUM, and FMA [16]. The next parts of 
the paper are arranged as follows: the section 2 presents a general view of the linear attack, K-L, CUSUM 
and Chi2 detection algorithms. WL-CUSUM and FMA detection algorithms are shown in the section 3. 
Discussions on application of WL-CUSUM and FMA are shown in section 4 and section 5 presents some 
conclusions and our future works. 


2. LINEAR ATTACK, K-L, CUSUM AND CHI-SQUARED DETECTION ALGORITHMS 

Perpending a DCS with the linear attack point presented in Figure 1, which impacts the wireless 
transmission data at the output of sensor [5]. Input signal and the relationship between input and output of the 
sensors can be performed as in (1) [5]. 


Xk+1 = AX, + Wk; Yk = CxX_ + Vy (1) 


Where: xg E Ris the process states; Yẹ E Ris the sensor’s output signal; wp E R”, wg ~ N(0, Q) is white 
noise acted on state variable; v, E R™,v, ~ N(0,R) is gaussian noise, white noise that acted on sensors; 
R > 0; Q = 0 are covariance matrices of white noise; %;,,X;, are estimations of the remote estimator’s state 
when not assaulted and having assaulted , respectively; A € R"*",C € R*™ are system matrices; P is the 
estimation of the covariance at steady state; k € N is the index of each variable. 

When having not attacked, it is easy to write the estimation of sensor output bias as in (2) [5], [17]. 


Zk = Yk — CÈR; Ze ~ N(0; X); Z = CPC" +R; E[z,27] = Ovi +j (2) 


Where E [zi z7] is the expected residual components Zg. When having attacked, the sensor’s output signal is 
modified, and be described as in (3). 
Vie = Žr + CXR (3) 


The K-L detection is founded on the fundamental of computing the difference between two strings 
of accidental values and be described as in (4) ) [5], [18]. 


fz) 


D(Zx\ (Ze) = Í fz00) log fz00 


dx (4) 


Where fz, (x) and fz, (X) are the density functions of Z,and zę. When D is higher than a threshold ô, the data 
is considered as being attacked, which expressed in (5). 


D(Zx||Z,) < 6 > not assaulted D(Z||Z,.) > ô > assaulted (5) 
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Where ô is the K-L algorithm’s detection threshold. 
Based on [5], through the influence of linear attack, the signals of sensor are changed into, as shown 
in (3) and (6). 


Zp = TkZgę + bę (6) 


Where Tẹ E R™*™ is linear attack matrix; bẹ ~ N (0, I) is Gaussian random variable. The linear attack can 
pass the K-L detection test when attack matrices T,, Ig can be determined and satisfied (7) [5]. 


min Tr(CPPCT EIT) 
k. ab 
Ë Py = Ëk — TET (7) 
<0 
ive y7! 


Based on the convex plan principle of Karush-Kuhn-Tucker, the relationship of two thresholds 
u and 6 is expressed in (8) [5]. 


u(STr(25,) -= +2log £L- 6) =0 (8) 


Eel 
Where 4 > emn Ai and 1i, åz, ---, Am are the eigenvalues of K7KZ; Kis the Kalman coefficient matrix, 
<i<m 
Tr(S~15;,) is the matrix’s trace 3~15',. So, for each value ô of the K-L algorithm, the appropriate linear 


attack matrices Tk, Ij, is always found to pass the K-L test. In this case, the residuals from remote estimator 
(Kalman filter) can be rewritten as (9). 


aS Xo) if1< k< kork = ky +L, when non-attacked (9) 
Zk ~ IN(0, 51) if ko < k < ko + L, when attacked 
Where Xo, 2, matrices, calculated as (10). 

Zo =X = CPCT + R; Xa = TATE + Ik (10) 


Under the influence of the linear attack, the covariance of system’s residual is clearly changed. 
Other attacks often change the mean. It shows how the linear attack is dangerous. According to [14], [15], 
[19], the Chi2 algorithm is different from the K-L algorithm in that it applies the quadratic form of z, value 
strings to test the significant deviation between of the error’s wanted value z, and the covariance. The Chi2 
procedure is described as (11). 


Tonia = min(k: Diiy—yo1 zi 271 z; 2 h) (11) 


According to [19]-[22], CUSUM algorithm differs from K-L and Chi2 algorithms in that it puts the 
theory of Wald into sequential analysis to analyze checked data’s anomalies. The CUSUM procedure is 
described as (12). 


fo, et) 
foot) 


Tes = min fk >1: maxS* 2 h}; SË = Dii In 


1sisk 


(12) 


3. WL-CUSUM AND FMA DETECTION ALGORITHMS 
3.1. WL-CUSUM detection algorithm 

WL-CUSUM algorithm is a special case of CUSUM algorithm. The behavior of the log-likelihood 
ratio (LLR) {S¥}ķ>; is introduced in Figure 2(a). It is easy to see that before the change point kg and after the 
change point ky + L — 1, the mean derivative of the LLR is negative, while between ky and ky + L — 1 it is 
positive. The stopping time is described as in (13) [17], [23], [24]. 


Pane k Lok yk pfa 
Tw, = min {k > L: max Si > h}; S; = Di ATE (13) 


where S* is the LLR, h is a chosen threshold. 
Considering a system X = [x,,X>,...x,]" ~ N(u,2) and supposing that X ~ N(y, Zo) when non- 
attacked, and X ~ N(7,2,) when attacked. This system is described in (14). 
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a K if1<k<kork>kọ+L 
pa 


N(n, 41) if ko <k <ko+L (14) 


In this case, the WL CUSUM’s statistic decision values gg are calculated according to (15), (16) [17], [23]: 


2 k> — (9k-1 + Sr if 9k-1 tSp > Oandk >L 

Ik ey Zh f Oif gk- +Sk<0ork<L (15) 
1, detSo 1 = ie 

Sp = 5 og T aE TD ET — 201 — w) (16) 

The stopping time of WL-CUSUM test Ty, is satisfied (17) [20]. 

Tw, = min(k = L: gx = h) (17) 


3.2. FMA detection algorithm 

The FMA is an algorithm that, for each time instant k > 1 , accomplishes a check between the 
alternative assumption H; and the null assumption Ho, according to the block of L observations 
Xk-L+1::- Xg (Figure 2(b)). For the time k + 1, it shifts one step by erasing the last observation x,_;41 and 
using the novel one x,,, to make block of the observations x,_,42,.-+)Xa1 [11], [12], [17], [23], [25]. The 
attack warning time of the FMA test is satisfied as (18). 


(18) 


Trma = min {k > L: gk = Vi Xi- a a n} 


fool%k-i+1) 


where h is a chosen threshold and y; > 0, for i = 1,..,L are any weights for causal filters or predefined 
coefficients. Assume that coefficients y; = y for i = 1,..,L, we have (19). 


foie) 
faye) 


=i L. foi k-i+1) 
k yd F foo k-i+1) 


= Df- yin SEs (19) 


In the case (change in covariance) described in (12), the FMA test’s gg values are calculated by (19), (20). 


1 det Zo = = 
SE = Sy {In — (x, = D'ET! = Zoe — wh (20) 
2 det x4 
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Figure 2. Describe detection procedure (a) WL-CUSUM and (b) FMA [20] 


4. APPLICATION AND DISCUSSION 

In this paper, to evaluate the linear attack detection ability of the FMA and WL-CUSUM algorithms, 
we use the same model of a MIMO system with two sensors, which has been published by Guo et al. [5]. 
Based on [5], we have the object’s discrete state model in (1) with following data: 
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a= hee aale = a Rea: = ka v = l aal 


Simulation data is used to evaluate the applicability of the algorithms. We check the possibility of 
the existence of threshold h, so that the two algorithms can detect attacked data, in case the K-L algorithm 
cannot. In (8) shows the correlation of two thresholds uand ô in the K-L algorithm. According to the 
dissection in [5], [15], we choose din the value pattern ô € [0; 2.544]. 


0 =6) A = Ho 20 =6 1.02627 = u 
ee O R al oS S Spe 1.0019 = 
1.0 =6, 1.1305 = Mp ’ 2544 s 10 = A 
15 =5, 1.0638 = 4, l ° . ° 


By applying MATLAB’s CVX toolbox to solve (7), we obtain the linear attack’s matrices Tko + 
Tke; Iko + Ike so that linear attack overcomes the K-L algorithm. To appraise the materiality of FMA and 
WL-CUSUM (with the coefficient y = 1), the authors perpend the circumstance of linear attack overcoming 
the K-L test at a small threshold 6 = 6, = 0.5. We establish the emulation dataset (50 s) with linear attack 
appearing in the value pattern from 20 s to 40 s to check Chi2, CUSUM, WL-CUSUM and FMA test. At the 
detection threshold of these tests h=0./, using (7), (8), (11), (12), (14)-(17) to compute attack’s stopping time 
Ta, we obtained graphs that illustrated in Figure 3. Four tests are implemented on a sequence of residuals 
from remote estimator (Figure 3(a)). The obtained results show that the linear attack is detected by the WL- 
CUSUM test at Ty, = 21 s,nu = 1, (correctly detected), (Figure 3(d)) and FMA test detected linear attack 
at Trma = 25s,nu = 1, (correctly detected), (Figure 3(e)). However, the CUSUM and Chi2 test obtain false 
alarm points, because they have nu = 1, Tcoysym = 4 s (Figure 3(b)); Tcey;2 = 2 s (Figure 3(c)) and they are 
not within the period of linear attack. 

With threshold value h=5.3, the authors similarly acquire simulation graphs as shown in Figure 4. 
All tests are implemented on a sequence of residuals from remote estimator as indicated in the Figure 4(a). 
Simulation results show that FMA and CUSUM test have Try, = 22s (Figure 4(e)), Teusum = 215 
(Figure 4(d)), nu = 1, (correct detection). However, the Chi2 and WL-CUSUM have Teyr = 4s, (Figure 
4(b)), Tw, = 0, nu = 0 (false detection) (Figure 4(c)). On the whole, to appraise linear attack detection over 
time interval ko ko + L) of each test, we use the worst-case probability of false alarm Ppa, the probability of 
missed detection Pma and correct detection probability P4 as shown in Figure 5. 


CUSUM,threshold h = 0.1: Ta =4 anda nu=1 
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FMA,threshold h = 0.1: Ta =25 and nu = 1 
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Time (s) 
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Figure 3. Linear attack detection with threshold 6 = 0.5 and h = 0.1 on (a) a sequence of residuals from 
remote estimator, using (b) CUSUM, (c) CHI2, (d) WL CUSUM and (e) FMA algorithms 
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CUSUM,threshold h = 5.3: Ta =21 and a nu = 1 
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Figure 4. Linear attack detection with threshold ô =0.5 and h=5.3 on (a) a sequence of residuals from remote 
estimator, using (b) CUSUM, (c) CHI2, (d) WL CUSUM and (e) FMA algorithms 
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Figure 5. Transient change detection criterion [17] 


“False alarm”: the alteration is found before it happens (T < kọ). The false alarm rate can be 
evaluated by Pr, within a time window Mg of anticipated length / and threshold a illustrated in (21) [17], 
[20], [23]: 


Pra (T,Mq) = Pra = supPol( <T<l+m,) <a] (21) 


“Missed detection”: the alteration is detected after its disappearance, or the change is never revealed. 
The missed detection rate is evaluated by the probability of missed detection illustrated in (22) [17], [20], [23]: 


Pma(T,L) = Pma = SUpPy,(T — ko + 1 > LIT > ko) (22) 
Ko2L 


according to [16], [17], [26], the Monte-Carlo estimation of Pra and Png is computed as in (23): 


= 1 = 1 

Pra = 5 ns nuk < ko; Pma = ~ Ekai nu(k); k >kọ+L-—1 (23) 
Graphs in Figures 6-8 show that, the linear attack overcoming K-L at thresholds 6 can be detected 

by the Chi2, CUSUM, WL-CUSUM, and FMA algorithms (thanks to the low false alarm probability Pra and 

low missed detection probability Pma of these algorithms). Secondly, Figures 7(a), 7(b), 8(a), 8(b) show that, 


the FMA and WL-CUSUM algorithms are much better than the traditional nonparametric Chi2 detector 
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(under the same check situations, missed detection probability and Prg of the Chi2 algorithm is larger than 
those of the WL-CUSUM and FMA algorithms). This issue can be explained that the Chi2 algorithm does 
not consider the transient change profiles of signals while the other algorithms can develop this necessity 
information. Thirdly, given an adequate level of Pfa (from 10° to 10°), Png of the FMA algorithm is smaller 
than that of the CUSUM, WL-CUSUM, Chi2 algorithms. In other words, the FMA algorithm’s detection 
ability is more superior than detection ability of the other algorithms. 
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S 
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Worst-case probability of false alarm Pfa 


Figure 6. Statistical performance comparison among some detection algorithms with thresholds when K-L 
is overcome with threshold 6 = 2.5 by 10° Monte Carlo simulation 


CHI2 Detection method CUSUM Detection method 


0.6 0.5 
* = æ- : delta=0.5 = æ- - delta=0.5 
FA Ta —Ə— delta=1.0 pai —©— delta=1.0 
i 1 x ofr delta=1.5 0.4 + F ‘e =-=- delta=1.5 
| Ve = a%- -delta=2.0 i X = æ- -delta=2.0 
o | = —E— delta=2.5 z3! i * —B— delta=2.5 
' TERT A- delta=2.544 j i SE EELS] fey A= delta=2.544 


Probablility of missed detection Pmd 
D 
Probablility of missed detection Pmd 


0.2 
0.1 
0 
103 105 104 10° 107 1071 10° 
Worst-case probablility of false alarm Pfa Worst-case probablility of false alarm Pfa 
(a) (b) 


Figure 7. Statistical performance detecting linear attack with some thresholds 6 (a) Chi2 detection algorithm 
and (b) CUSUM detection algorithm 
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Figure 8. Statistical performance detecting linear attack test with some thresholds 6 (a) WL-CUSUM 
detection algorithm and (b) FMA detection algorithm 


Some further tests are conducted on FMA algorithm to evaluate its robustness with respect to some 
parameters, including the attack duration and the coefficients. The Figure 9 shows P,,q which is presented as 
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a function of Pfa for dissimilar values of true attack duration L = {12,16,20} < L = 20, with the coefficient 
y=1.ForL< L, Pfa subordinates especially on the L. The smaller the putative true attack duration L, the 
higher Pfa. Besides, when L is reduced, Pma is changed. In other words, both of Prq and Pma are sensitive to 
the true attack duration L. The issue can be clarified by the fact that small attack duration L leads to small 
changes in the observable distribution, thus raising Pfa and changing Pma. With different values of coefficient 
y = {0.6, 0.7, 0.8, 0.9, 1.0, 1.1, 1.2, 1.3, 1.4,1.5}, when using the true attack duration L= L = 20, and the 
threshold ô = 2.5, we have results as shown in Figure 10. The probability of missed detection Pma is presented 
as a function of Ppa for the magnitude of change from 60% to 150% and the “shape” of the change is changed 
as shown in Figure 10(a). Figure 10(b) shows that error probabilities (Pma and Pfa) are presented as a function 
of coefficients y. The higher the coefficient y, the smaller the probability of missed detection P,,g for the 
change of threshold h from 0.1 to 8.0 as shown in Figure 10(c). And in the same case, Figure 10(d) shows that 
the higher the coefficient y, the higher the probability of false alarm Pr, but the changes are rather small. The 
issue can be clarified by the fact that small coefficients y lead to small changes in the observable distribution, 
thus abating Pmq and raising Pfa (with each threshold A). 
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Figure 9. The FMA’s sensitivity with relation to the attack duration 
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Figure 10. The FMA’s sensitivity with relation to the coefficients, (a) Pfa_Pmd, (b) y_Pfa and Pmd, and 
(c) y_Pmd, and (d) y_Pfa 
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5. CONCLUSION 

This paper addresses the ability to detect the linear attack of WL-CUSUM and FMA algorithms 
when it passes the K-L algorithm. The tested object is described by the discrete-time state space model with 
unknown conditions and random noises. The traditional residual generation method (Kalman filter) is used. 
The WL-CUSUM and FMA algorithms use the sequence of residuals for ascertaining the stopping time at 
which the linear attack is detected. Simulation results on the tested object (the wireless communication 
process from sensors to controller) show that those algorithms outperform the traditional detectors (K-L and 
Chi2). These results also show that we can apply the WL-CUSUM or FMA algorithm as a back-end detection 
layer in a string of techniques which can be used to secure data integrity of industrial system. In addition, the 
analysis of simulation results also shows that the linear attack detection ability of the FMA algorithm is better 
than that of the Chi2, CUSUM, WL-CUSUM algorithms. The paper also analyses the influence of the 
coefficients and the true attack duration L to the ability to detect the linear attack of FMA algorithm. More 
profound mathematical research of these issues is an important perspective for the future study on the ability 
to detect the linear attack. 
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